Upstream has issued an advisory on February 27 (CVE-2015-0295):
http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
https://bugreports.qt.io/browse/QTBUG-44547

The builtin BMP decoder in QtGui prior to Qt 5.5 contained a bug that would lead to a division by zero when loading certain corrupt BMP files. This in turn would cause the application loading these hand crafted BMPs to crash.

It is possible to construct BMP files such that when calculating the masks required to extract the colour components a division by zero occurred. An application loading the malicious BMP file will crash.

qt4 and qtbase5 are affected in Cauldron and Mageia 4. Patches for qt 4 and qtbase 5 are available upstream.
Whiteboard: (none) => MGA4TOO
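The kind of check that prevents this class of crash, as an added example that is not part of the bug report and is not Qt's source: a decoder fragment that validates the colour masks from a BMP header before deriving a per-channel scale factor. The names `channel_from_mask` and `validate_masks` and the formula `256 / ((mask >> shift) + 1)` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative BMP colour-mask handling (constructed example, not Qt's code).
 * A channel mask such as 0x00FF0000 is reduced to a shift and a scale
 * factor that expands the channel value to 8 bits. */
struct channel { int shift; uint32_t scale; };

/* Count trailing zero bits; the mask != 0 test keeps mask == 0 from looping. */
static int mask_shift(uint32_t mask)
{
    int shift = 0;
    while (mask != 0 && (mask & 1u) == 0) { mask >>= 1; shift++; }
    return shift;
}

/* Returns 0 on success, -1 if the mask read from the file must be rejected. */
int channel_from_mask(uint32_t mask, struct channel *out)
{
    int shift = mask_shift(mask);
    /* 32-bit unsigned arithmetic: if mask >> shift is 0xFFFFFFFF, +1 wraps to 0. */
    uint32_t divisor = (mask >> shift) + 1u;
    if (divisor == 0 || divisor > 256u)
        return -1; /* would divide by zero, or field does not fit in 8 bits */
    out->shift = shift;
    out->scale = 256u / divisor;
    return 0;
}

/* Validate all three colour masks from the header before decoding any pixel. */
int validate_masks(uint32_t r, uint32_t g, uint32_t b, struct channel ch[3])
{
    const uint32_t m[3] = { r, g, b };
    for (int i = 0; i < 3; i++)
        if (channel_from_mask(m[i], &ch[i]) != 0)
            return -1;
    return 0;
}

int main(void)
{
    struct channel ch[3];
    /* Constructed inputs: an ordinary RGB565 layout and a corrupt header. */
    printf("rgb565:  %d\n", validate_masks(0xF800u, 0x07E0u, 0x001Fu, ch));
    printf("corrupt: %d\n", validate_masks(0xFFFFFFFFu, 0x07E0u, 0x001Fu, ch));
    return 0;
}
```

Rejecting the header this way matches the behaviour reported later in the thread for the fixed packages: the image fails to open, but the application does not crash.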
Thanks for the report. I think we should update Mageia 5 to Qt5 5.4.1 as well, but it looks like it'll still need to be patched for this even if we do.
(In reply to David Walser from comment #1)
> Thanks for the report. I think we should update Mageia 5 to Qt5 5.4.1 as
> well

updating Qt5 to 5.4.1 -> update 22 src.rpm, I don't think that this will be accepted in full freeze.
Indeed, probably not.
- mga4 : fixed in qt4-4.8.6-1.2.mga4 & qtbase5-5.2.0-2.4.mga4 (builds in progress)
- cauldron : freeze push asked for qt4-4.8.6-8 & qtbase5-5.4.0-6
Blocks: (none) => 14674
For Mageia 4 update :

Suggested advisory:

Updated qt4 and qtbase5 packages fix security vulnerability

The builtin BMP decoder in QtGui prior to Qt 5.5 contained a bug that would lead to a division by zero when loading certain corrupt BMP files (CVE-2015-0295). This in turn would cause the application loading these hand crafted BMPs to crash.

Qt4 and qtbase5 have been patched to prevent this division by zero.

References:
http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
https://bugreports.qt.io/browse/QTBUG-44547

src.rpm
qt4-4.8.6-1.2.mga4.src.rpm
qtbase5-5.2.0-2.4.mga4.src.rpm

packages i586:
libqt3support4-4.8.6-1.2.mga4.i586.rpm
libqt4-devel-4.8.6-1.2.mga4.i586.rpm
libqtclucene4-4.8.6-1.2.mga4.i586.rpm
libqtcore4-4.8.6-1.2.mga4.i586.rpm
libqtdbus4-4.8.6-1.2.mga4.i586.rpm
libqtdeclarative4-4.8.6-1.2.mga4.i586.rpm
libqtdesigner4-4.8.6-1.2.mga4.i586.rpm
libqtgui4-4.8.6-1.2.mga4.i586.rpm
libqthelp4-4.8.6-1.2.mga4.i586.rpm
libqtmultimedia4-4.8.6-1.2.mga4.i586.rpm
libqtnetwork4-4.8.6-1.2.mga4.i586.rpm
libqtopengl4-4.8.6-1.2.mga4.i586.rpm
libqtscript4-4.8.6-1.2.mga4.i586.rpm
libqtscripttools4-4.8.6-1.2.mga4.i586.rpm
libqtsql4-4.8.6-1.2.mga4.i586.rpm
libqtsvg4-4.8.6-1.2.mga4.i586.rpm
libqttest4-4.8.6-1.2.mga4.i586.rpm
libqtxml4-4.8.6-1.2.mga4.i586.rpm
libqtxmlpatterns4-4.8.6-1.2.mga4.i586.rpm
qt4-accessibility-plugin-4.8.6-1.2.mga4.i586.rpm
qt4-assistant-4.8.6-1.2.mga4.i586.rpm
qt4-common-4.8.6-1.2.mga4.i586.rpm
qt4-database-plugin-mysql-4.8.6-1.2.mga4.i586.rpm
qt4-database-plugin-pgsql-4.8.6-1.2.mga4.i586.rpm
qt4-database-plugin-sqlite-4.8.6-1.2.mga4.i586.rpm
qt4-database-plugin-tds-4.8.6-1.2.mga4.i586.rpm
qt4-demos-4.8.6-1.2.mga4.i586.rpm
qt4-designer-4.8.6-1.2.mga4.i586.rpm
qt4-designer-plugin-qt3support-4.8.6-1.2.mga4.i586.rpm
qt4-designer-plugin-webkit-4.8.6-1.2.mga4.i586.rpm
qt4-devel-private-4.8.6-1.2.mga4.noarch.rpm
qt4-doc-4.8.6-1.2.mga4.noarch.rpm
qt4-examples-4.8.6-1.2.mga4.i586.rpm
qt4-graphicssystems-plugin-4.8.6-1.2.mga4.i586.rpm
qt4-linguist-4.8.6-1.2.mga4.i586.rpm
qt4-qdoc3-4.8.6-1.2.mga4.i586.rpm
qt4-qmlviewer-4.8.6-1.2.mga4.i586.rpm
qt4-qtconfig-4.8.6-1.2.mga4.i586.rpm
qt4-qtdbus-4.8.6-1.2.mga4.i586.rpm
qt4-qvfb-4.8.6-1.2.mga4.i586.rpm
qt4-xmlpatterns-4.8.6-1.2.mga4.i586.rpm
libqt5base5-devel-5.2.0-2.4.mga4.i586.rpm
libqt5bootstrap-devel-5.2.0-2.4.mga4.i586.rpm
libqt5concurrent5-5.2.0-2.4.mga4.i586.rpm
libqt5concurrent-devel-5.2.0-2.4.mga4.i586.rpm
libqt5core5-5.2.0-2.4.mga4.i586.rpm
libqt5core-devel-5.2.0-2.4.mga4.i586.rpm
libqt5core-private-devel-5.2.0-2.4.mga4.i586.rpm
libqt5dbus5-5.2.0-2.4.mga4.i586.rpm
libqt5dbus-devel-5.2.0-2.4.mga4.i586.rpm
libqt5dbus-private-devel-5.2.0-2.4.mga4.i586.rpm
libqt5gui5-5.2.0-2.4.mga4.i586.rpm
libqt5gui-devel-5.2.0-2.4.mga4.i586.rpm
libqt5gui-private-devel-5.2.0-2.4.mga4.i586.rpm
libqt5network5-5.2.0-2.4.mga4.i586.rpm
libqt5network-devel-5.2.0-2.4.mga4.i586.rpm
libqt5network-private-devel-5.2.0-2.4.mga4.i586.rpm
libqt5opengl5-5.2.0-2.4.mga4.i586.rpm
libqt5opengl-devel-5.2.0-2.4.mga4.i586.rpm
libqt5opengl-private-devel-5.2.0-2.4.mga4.i586.rpm
libqt5platformsupport-devel-5.2.0-2.4.mga4.i586.rpm
libqt5platformsupport-private-devel-5.2.0-2.4.mga4.i586.rpm
libqt5printsupport5-5.2.0-2.4.mga4.i586.rpm
libqt5printsupport-devel-5.2.0-2.4.mga4.i586.rpm
libqt5printsupport-private-devel-5.2.0-2.4.mga4.i586.rpm
libqt5sql5-5.2.0-2.4.mga4.i586.rpm
libqt5sql-devel-5.2.0-2.4.mga4.i586.rpm
libqt5sql-private-devel-5.2.0-2.4.mga4.i586.rpm
libqt5test5-5.2.0-2.4.mga4.i586.rpm
libqt5test-devel-5.2.0-2.4.mga4.i586.rpm
libqt5test-private-devel-5.2.0-2.4.mga4.i586.rpm
libqt5widgets5-5.2.0-2.4.mga4.i586.rpm
libqt5widgets-devel-5.2.0-2.4.mga4.i586.rpm
libqt5widgets-private-devel-5.2.0-2.4.mga4.i586.rpm
libqt5xml5-5.2.0-2.4.mga4.i586.rpm
libqt5xml-devel-5.2.0-2.4.mga4.i586.rpm
qtbase5-common-5.2.0-2.4.mga4.i586.rpm
qtbase5-common-devel-5.2.0-2.4.mga4.i586.rpm
qtbase5-database-plugin-mysql-5.2.0-2.4.mga4.i586.rpm
qtbase5-database-plugin-odbc-5.2.0-2.4.mga4.i586.rpm
qtbase5-database-plugin-pgsql-5.2.0-2.4.mga4.i586.rpm
qtbase5-database-plugin-sqlite-5.2.0-2.4.mga4.i586.rpm
qtbase5-database-plugin-tds-5.2.0-2.4.mga4.i586.rpm
qtbase5-examples-5.2.0-2.4.mga4.i586.rpm

packages x86_64:
lib64qt3support4-4.8.6-1.2.mga4.x86_64.rpm
lib64qt4-devel-4.8.6-1.2.mga4.x86_64.rpm
lib64qtclucene4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtcore4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtdbus4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtdeclarative4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtdesigner4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtgui4-4.8.6-1.2.mga4.x86_64.rpm
lib64qthelp4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtmultimedia4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtnetwork4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtopengl4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtscript4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtscripttools4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtsql4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtsvg4-4.8.6-1.2.mga4.x86_64.rpm
lib64qttest4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtxml4-4.8.6-1.2.mga4.x86_64.rpm
lib64qtxmlpatterns4-4.8.6-1.2.mga4.x86_64.rpm
qt4-accessibility-plugin-4.8.6-1.2.mga4.x86_64.rpm
qt4-assistant-4.8.6-1.2.mga4.x86_64.rpm
qt4-common-4.8.6-1.2.mga4.x86_64.rpm
qt4-database-plugin-mysql-4.8.6-1.2.mga4.x86_64.rpm
qt4-database-plugin-pgsql-4.8.6-1.2.mga4.x86_64.rpm
qt4-database-plugin-sqlite-4.8.6-1.2.mga4.x86_64.rpm
qt4-database-plugin-tds-4.8.6-1.2.mga4.x86_64.rpm
qt4-demos-4.8.6-1.2.mga4.x86_64.rpm
qt4-designer-4.8.6-1.2.mga4.x86_64.rpm
qt4-designer-plugin-qt3support-4.8.6-1.2.mga4.x86_64.rpm
qt4-designer-plugin-webkit-4.8.6-1.2.mga4.x86_64.rpm
qt4-devel-private-4.8.6-1.2.mga4.noarch.rpm
qt4-doc-4.8.6-1.2.mga4.noarch.rpm
qt4-examples-4.8.6-1.2.mga4.x86_64.rpm
qt4-graphicssystems-plugin-4.8.6-1.2.mga4.x86_64.rpm
qt4-linguist-4.8.6-1.2.mga4.x86_64.rpm
qt4-qdoc3-4.8.6-1.2.mga4.x86_64.rpm
qt4-qmlviewer-4.8.6-1.2.mga4.x86_64.rpm
qt4-qtconfig-4.8.6-1.2.mga4.x86_64.rpm
qt4-qtdbus-4.8.6-1.2.mga4.x86_64.rpm
qt4-qvfb-4.8.6-1.2.mga4.x86_64.rpm
qt4-xmlpatterns-4.8.6-1.2.mga4.x86_64.rpm
lib64qt5base5-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5bootstrap-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5concurrent5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5concurrent-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5core5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5core-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5core-private-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5dbus5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5dbus-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5dbus-private-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5gui5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5gui-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5gui-private-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5network5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5network-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5network-private-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5opengl5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5opengl-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5opengl-private-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5platformsupport-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5platformsupport-private-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5printsupport5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5printsupport-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5printsupport-private-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5sql5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5sql-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5sql-private-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5test5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5test-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5test-private-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5widgets5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5widgets-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5widgets-private-devel-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5xml5-5.2.0-2.4.mga4.x86_64.rpm
lib64qt5xml-devel-5.2.0-2.4.mga4.x86_64.rpm
qtbase5-common-5.2.0-2.4.mga4.x86_64.rpm
qtbase5-common-devel-5.2.0-2.4.mga4.x86_64.rpm
qtbase5-database-plugin-mysql-5.2.0-2.4.mga4.x86_64.rpm
qtbase5-database-plugin-odbc-5.2.0-2.4.mga4.x86_64.rpm
qtbase5-database-plugin-pgsql-5.2.0-2.4.mga4.x86_64.rpm
qtbase5-database-plugin-sqlite-5.2.0-2.4.mga4.x86_64.rpm
qtbase5-database-plugin-tds-5.2.0-2.4.mga4.x86_64.rpm
qtbase5-examples-5.2.0-2.4.mga4.x86_64.rpm
Assignee: lmenut => qa-bugs
Changing the version to 4 since this is assigned to QA. Leaving the blocker until it's pushed in Cauldron, though.
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
qt4-4.8.6-8.mga5 and qtbase5-5.4.0-6.mga5 uploaded for Cauldron.
Component: RPM Packages => Security
Blocks: 14674 => (none)
Fedora has issued an advisory for this on March 1.
URL: (none) => http://lwn.net/Vulnerabilities/635485/
There is a PoC:
https://bugreports.qt.io/browse/QTBUG-44547

Also check for obvious regressions in kde.
Whiteboard: (none) => has_procedure
I could reproduce the PoC and check that the Qt4 update fixes it on Mageia 4 i586 KDE4. I did not see any obvious regression, but anyway a Qt5 test would also be needed before we put the OK tag.
CC: (none) => remi
Thanks for the PoC link. I was able to reproduce the issue with gwenview for Qt4 and eyesight for Qt5. The eyesight package is not available in Mageia 4, only Cauldron, so I rebuilt it on Mageia 4 locally and it built and worked fine. Both gwenview and eyesight crashed with a floating point error before the update. After the update, they can't open the image, but they don't crash.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Updated my system with all qt4 libs that were locally installed, will report in a few days.
CC: (none) => stormi
Fedora has issued an advisory for qt3 for this on March 1:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/151138.html

Patched packages uploaded for Mageia 4 and Cauldron.

We don't have a way to test qt3 (we only have it for LSB requirements), so just test that the updated packages install cleanly. I have already confirmed this on Mageia 4 i586.

Updated qt3 packages:
libqt3-3.3.8b-33.3.mga4
qt3-common-3.3.8b-33.3.mga4
libqt3-mysql-3.3.8b-33.3.mga4
libqt3-psql-3.3.8b-33.3.mga4
libqt3-odbc-3.3.8b-33.3.mga4
libqt3-sqlite-3.3.8b-33.3.mga4

from qt3-3.3.8b-33.3.mga4.src.rpm

Only change to the advisory is in the header.

Updated qt3, qt4, and qtbase5 packages fix security vulnerability

The builtin BMP decoder in QtGui prior to Qt 5.5 contained a bug that would lead to a division by zero when loading certain corrupt BMP files (CVE-2015-0295). This in turn would cause the application loading these hand crafted BMPs to crash.

Qt4 and qtbase5 have been patched to prevent this division by zero.

References:
http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
https://bugreports.qt.io/browse/QTBUG-44547
CC: (none) => luigiwalser
Summary: qt4, qtbase5 new DoS security issue in QtGui (CVE-2015-0295) => qt3, qt4, qtbase5 new DoS security issue in QtGui (CVE-2015-0295)
Tested the installation and upgrade of qt3, qt4 and qt5 on a Mageia 4 x86-64 VBox VM. Everything is working fine and verified that the proof-of-concept causes gwenview and eyesight to crash before the upgrade and to not crash after it. Marking as MGA-64-OK.
CC: (none) => shlomif
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Advisory uploaded, validating. Please push to 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0105.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED